commit 8763716bfe4d8a16bef28c9947cf9d799b1796a5
author Shaun Tancheff <shaun@tancheff.com> Wed Feb 22 19:47:19 2006 -0800
committer Greg Kroah-Hartman <gregkh@suse.de> Tue Feb 28 12:42:06 2006 -0800
tree f0e8d0dcbf55953ea084f110c013743716b2a068
parent d5ec33490c67affef93aebf76e1238260c82d377

[PATCH] USB: Gadget RNDIS fix alloc bug. (buffer overflow)

Remote NDIS response to OID_GEN_SUPPORTED_LIST only allocated space
for the data attached to the reply, and not the reply structure
itself. This caused other kmalloc'd memory to be corrupted.

Signed-off-by: Shaun Tancheff <shaun@tancheff.com>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

drivers/usb/gadget/rndis.c

diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c
index 9689efe..6d6eaad 100644
--- a/drivers/usb/gadget/rndis.c
+++ b/drivers/usb/gadget/rndis.c
@@ -853,11 +853,14 @@
 	// DEBUG("%s: OID = %08X\n", __FUNCTION__, cpu_to_le32(buf->OID));
 	if (!rndis_per_dev_params [configNr].dev) return -ENOTSUPP;
 	
-	/* 
-	 * we need more memory: 
-	 * oid_supported_list is the largest answer 
+	/*
+	 * we need more memory:
+	 * gen_ndis_query_resp expects enough space for
+	 * rndis_query_cmplt_type followed by data.
+	 * oid_supported_list is the largest data reply
 	 */
-	r = rndis_add_response (configNr, sizeof (oid_supported_list));
+	r = rndis_add_response (configNr,
+		sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type));
 	if (!r)
 		return -ENOMEM;
 	resp = (rndis_query_cmplt_type *) r->buf;